Skip to main content

Facebook passwords stolen by 25 malicious Android apps: What to do

Facebook on Android mobile phone
(Image credit: dennizn / Shutterstock.com)

Twenty-five malicious Android apps that were secretly designed to steal Facebook account credentials have been deleted from the Google Play Store.

According to French information-security firm Evina, the apps amassed over 2.34 million downloads before they were removed from the Play Store in early June. 

In a blog post, Evina's researchers wrote: “This malware could effectively ruin your online and offline life by making off with the credentials of one of your most valued pieces of digital real estate.” 

The apps also bombarded users with ads and opened new web-browser tabs, according to angry user reviews on Google Play that were captured by Evina. It's not clear how many users ended up having their Facebook credentials stolen.

Tricking users

To trick Android users into downloading them, the 25 malicious apps masqueraded as games, flashlights, wallpapers, image and video editing software, QR code scanners, step counters and file managers.

While the apps performed these functions, the researchers said the apps could also “check if the Facebook app is running in foreground”. 

If that was the case, the apps would then try to fool users into entering their Facebook credentials into a fake Facebook login page. 

“When an application is launched on your phone, the malware queries the application name," said the Evina blog post. "If it is a Facebook application, the malware will launch a browser that loads Facebook at the same time."

“The browser is displayed in the foreground which makes you think that the application launched it.”

Playing into hackers' hands

By performing these actions, users were effectively sending their Facebook credentials directly to hackers -- except they didn’t know.

The researchers explained: “When you enter your credentials into this browser, the malware executes JavaScript to retrieve them. The malware then sends your account information to a server.”

Evina discovered the malicious apps in May and subsequently reported them to Google. After reviewing the findings, Google went on to remove them at the start of June. 

 “Downloading unknown or low reviewed apps on the Play Store can be fraught with danger," Jake Moore, a security specialist at ESET, told Tom’s Guide.

"These apps can cause damage to a device or even steal credentials such as passwords and one time passwords. I would always suggest users fully research apps before they think of installing them. 

He added: “Malware can lurk around on legitimate app stores but they are easier to distinguish form genuine apps as download numbers will usually be low. My advice would be to stick to well-known apps with good reviews and trusted app stores. 

“Furthermore, to protect your social media and other accounts from being hacked, make sure you turn on two factor authentication in case your details are ever compromised.”

To that, we'd add that one of the best Android antivirus apps will help protect your phone from malicious apps such as these, whether they come from Google Play or "off-road" app markets.